Remainder calculating method, modular-multiplication method, remainder calculating apparatus, modular-multiplication apparatus and recording medium

ABSTRACT

In a remainder calculating method and a modular-multiplication method based on the Montgomery method, a number of the form N = c·2^d ± 1 is used as the divisor N. To calculate the remainder when a dividend Y is divided by a divisor N on the basis of the Montgomery method, a number of the form N = c·2^d − 1 is used as the divisor N, and the following steps are repeated: a step of adding the product of the least digit y₀ of the dividend Y and c to the dividend Y at the position d bits above its least significant bit; and a step of taking the part of the sum that excludes the least digit as the next dividend.

BACKGROUND OF THE INVENTION

The present invention relates to a remainder calculating method and apparatus, a modular-multiplication method and apparatus, and a recording medium, which are suitable for the remainder calculations and modular multiplications of public key cryptosystems such as RSA and elliptic curve cryptography. In particular, the present invention relates to a remainder calculating method and apparatus, a modular-multiplication method and apparatus, and a recording medium which carry out these calculations at high speed with the use of Montgomery's algorithm (see Peter L. Montgomery, "Modular Multiplication Without Trial Division", Mathematics of Computation, Volume 44, Number 170, April 1985, pp. 519-521).

In recent years, the development of computer networks has rapidly increased the opportunities to retrieve data from databases and to send and receive electronic information such as electronic mail and electronic news over a network. Moreover, on-line shopping services and the like are provided by making use of computer networks. With the development of computer networks, however, the following problems have been pointed out: electronic data on the network can be eavesdropped on or falsified, and a person can impersonate another so as to receive service without charge. Eavesdropping is particularly easy in a network using radio communication, so suitable countermeasures against it are desired.

In order to solve these problems, encrypted electronic mail systems and user authentication systems using cryptography have been proposed and are being introduced into various networks. Encryption is therefore an indispensable technology in computer networks. Among such cryptography, the public key cryptosystem is suitable for digital signatures, that is, for authentication. However, a large quantity of processing is required for encryption/decryption; for this reason, it is desired to carry out the encryption/decryption processing at high speed, and various high-speed algorithms have been published.

Cryptosystems are broadly classified into two types, secret key cryptosystems and public key cryptosystems. In a secret key cryptosystem, the sender and the receiver share the same cryptographic key and use it to communicate. More specifically, a message is encrypted with the secret key and sent to the receiver; the receiver decrypts the encrypted message with the same key to recover the original message and thus obtains the information.

In a public key cryptosystem, the sender encrypts a message with the receiver's published public key and sends it to the receiver, and the receiver decrypts the encrypted message with his secret key. More specifically, the public key is used for encryption, the secret key is used for decrypting a message encrypted with the public key, and a message encrypted with the public key can be decrypted only with the secret key.

In the secret key cryptosystem, an individual must keep one secret key per communicating partner, and the total number of keys required in a network of n persons is n(n−1)/2. Moreover, the secret key cryptosystem has the problem that a secret key must somehow be distributed to a partner with whom one communicates for the first time. To solve this, a key control center is established in a large-scale network, and each individual keeps only the secret key shared between himself and the center; when a cryptographic communication is to be carried out, a secret key for the communicating partner is obtained from the center. In this case the total number of secret keys is n.

In the public key cryptosystem, on the other hand, the only key an individual must keep secret is his own secret key, and the total number of secret keys required in a network of n persons is n. Moreover, only the public key need be distributed to a partner with whom one communicates for the first time. A key control center is established, the n users' public keys are registered on a public board, and the public key of a communicating partner is obtained from the center. In this case the center merely prevents falsification of the public keys and has no need to keep them secret. However, in the public key cryptosystem the keys have many more bits than in the secret key cryptosystem, so the file size required to store them becomes large.

For authentication in the secret key cryptosystem, for example, the message to be sent is compressed and transformed with the secret key, and the result is attached to the transmitted text; at the receiving end, the message is compressed and transformed in the same way and compared. In this case, however, sending and receiving use the same key, so the receiver can counterfeit the authentication data. The public key cryptosystem, by contrast, makes use of the fact that only the key holder himself can encrypt with the secret key. The sender compresses and transforms the message, encrypts the result with his secret key, and attaches it to the transmitted text; the receiver decrypts the attached data with the sender's public key and compares it with the message compressed and transformed in the same way. In this case the receiver cannot forge it.

As described above, public key cryptography is indispensable in an authentication system. However, the public key cryptosystem has the severe problem that a large quantity of processing is required for encryption/decryption. For this reason, the high-speed secret key cryptosystem is generally used to encrypt the message and the public key cryptosystem is used for authentication, and the two cryptosystems are often used in combination.

The public key cryptosystem mainly includes the RSA cryptosystem and the elliptic curve cryptosystem. The elliptic curve cryptosystem is particularly notable because it requires a smaller number of bits to obtain the same security as the RSA cryptosystem. Elliptic curve cryptosystems are defined either over a prime field or over an extension field of characteristic two, and both kinds are based on the discrete logarithm problem on an elliptic curve. The basic operation of the elliptic curve cryptosystem is the addition of points on the elliptic curve. The following describes the addition of points on an elliptic curve over a prime field.

(Addition of points on an elliptic curve over a prime field)

elliptic curve: y² = x³ + ax + b (mod N), N: prime number

two points to be added: (x₁, y₁), (x₂, y₂)

additive result: (x₃, y₃)

The addition of the two points is expressed as follows:

x₃ = λ² − x₁ − x₂ (mod N);

y₃ = λ(x₁ − x₃) − y₁ (mod N);

λ = (y₂ − y₁)/(x₂ − x₁) (mod N)

In general, N, a, b, x₁, y₁, x₂ and y₂ are integers of about 160 bits each. In the elliptic curve cryptosystem a great many of these basic operations are carried out repeatedly, so a large number of multiple-precision multiplications and remainder calculations are performed. For this reason, various high-speed remainder calculation methods such as the approximation method, the remainder table method and Montgomery's algorithm have been proposed. Further, unlike the RSA cryptosystem, in the elliptic curve cryptosystem the use of a special value such as a Mersenne prime (2^n − 1) as the modulus N of the remainder does not affect security; therefore, high-speed processing methods using such a special value as the modulus have been proposed.
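As an added illustration (example code, not part of the patent), the addition formula above carried out over a small prime field. The curve y² = x³ + 2x + 3 (mod 97) and its points are constructed for this example, not a standard curve. The page gives only the formula for two distinct points; the doubling branch λ = (3x₁² + a)/(2y₁) for x₁ = x₂, and the point at infinity for P = −Q, are the standard completion and are added here so that the routine handles every input.

```python
# Added example: affine point addition on y^2 = x^3 + a*x + b (mod N), N prime.
# The curve parameters used below are constructed for this example.

def inv_mod(x, n):
    """Modular inverse x^-1 mod n; n is assumed prime, as the text states."""
    x %= n
    if x == 0:
        raise ZeroDivisionError("no inverse for 0 mod N")
    return pow(x, n - 2, n)        # Fermat: x^(n-2) = x^-1 mod prime n

def ec_add(P, Q, a, n):
    """Return P + Q on the curve; None stands for the point at infinity.
    The distinct-point case is the lambda formula from the text; the x1 == x2
    cases (doubling, or P == -Q) are the standard completion added here."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:     # P == -Q: result is the point at infinity
            return None
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n   # doubling (added)
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n          # formula from the text
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)

def on_curve(P, a, b, n):
    """Sanity check a practitioner should run on every result: is P on the curve?"""
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % n == 0

# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97); (1, 43) and (3, 6) lie on it.
A_TOY, B_TOY, N_TOY = 2, 3, 97
P_TOY, Q_TOY = (1, 43), (3, 6)
```

Each inversion is a full modular exponentiation, which is why the text treats modular multiplication and remainder calculation as the cost that matters; the routine above does one inversion per addition.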

The following describes Montgomery's algorithm, which is one method for realizing high-speed remainder calculation.

(Montgomery Algorithm)

Montgomery's algorithm is as follows. With a modulus N (N > 1) and a base R (R > N) that is relatively prime to N, the value TR⁻¹ mod N is computed from a dividend T using division only by the base R, and this property is exploited to carry out a remainder calculation without any division by N. Here N, N′, R, R⁻¹ and T are integers, the dividend T satisfies 0 ≦ T < R·N, R⁻¹ is the inverse of the base R modulo N, and the relation R·R⁻¹ − N·N′ = 1 (0 ≦ R⁻¹ < N, 0 ≦ N′ < R) holds; in other words, N′ = −N⁻¹ mod R.

Moreover, when a power of 2 is used as the base R, the division by R is replaced by a shift operation, so the calculation T → TR⁻¹ mod N can be processed at high speed. The following is the algorithm REDC(T) for T → TR⁻¹ mod N, given as (Algorithm 1). In (Algorithm 1), it has been proved that T + M·N is always divisible by R.

(Algorithm 1)

The algorithm Y = REDC(T) for T → TR⁻¹ mod N is expressed as follows.

M = (T mod R)·N′ mod R

Y = (T + M·N)/R

if Y ≧ N then Y = Y − N

return Y

A single REDC does not give the remainder T mod N, but only TR⁻¹ mod N. Therefore, to obtain T mod N, REDC is carried out again on the product of REDC(T) and the previously computed constant R² mod N, as follows.

REDC(REDC(T)·(R² mod N)) = (TR⁻¹ mod N)·(R² mod N)·R⁻¹ mod N = TR⁻¹·R²·R⁻¹ mod N = T mod N

In this manner the remainder T mod N is obtained.
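As an added example (not code from the patent), Algorithm 1 with Python big integers. R is a power of two, so "mod R" is a mask and "/R" is a shift; N′ is taken directly from the relation R·R⁻¹ − N·N′ = 1; and the second REDC by R² mod N recovers T mod N as shown above. The modulus and dividend used to exercise it are constructed.

```python
# Added example: Montgomery's REDC (Algorithm 1) and the R^2 trick that turns
# T*R^-1 mod N back into T mod N. Nothing here divides by N.

def mont_constants(N, bits):
    """Return (R, R^-1 mod N, N') for R = 2^bits; requires R > N and N odd."""
    R = 1 << bits
    if R <= N or N % 2 == 0:
        raise ValueError("need R > N and gcd(R, N) = 1")
    R_inv = pow(R, -1, N)                 # 0 <= R^-1 < N
    N_prime = (R * R_inv - 1) // N        # from R*R^-1 - N*N' = 1, so 0 <= N' < R
    return R, R_inv, N_prime

def redc(T, N, R, N_prime):
    """Algorithm 1: T*R^-1 mod N for 0 <= T < R*N."""
    if not (0 <= T < R * N):
        raise ValueError("T must satisfy 0 <= T < R*N")
    mask = R - 1
    M = ((T & mask) * N_prime) & mask      # (T mod R)*N' mod R: two masks
    numerator = T + M * N
    if numerator & mask:                   # the text's divisibility claim, checked
        raise AssertionError("T + M*N must be divisible by R")
    Y = numerator >> (R.bit_length() - 1)  # exact division by R is a shift
    return Y - N if Y >= N else Y          # Y < 2N here, so one subtraction suffices

def mod_via_redc(T, N, R, N_prime):
    """T mod N = REDC(REDC(T) * (R^2 mod N)); R^2 mod N is computed once per N."""
    R2 = (R * R) % N
    return redc(redc(T, N, R, N_prime) * R2, N, R, N_prime)

# Constructed inputs: the Mersenne prime 2^127 - 1 as N, R = 2^128, T < R*N.
N_EX = (1 << 127) - 1
R_EX, R_INV_EX, N_PRIME_EX = mont_constants(N_EX, 128)
T_EX = pow(3, 200, R_EX * N_EX)
```

Note that the input bound 0 ≦ T < R·N is what guarantees the intermediate Y is below 2N, so only one conditional subtraction is needed; a caller that feeds a larger T gets a wrong answer silently unless the bound is checked as above.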

(Extension of REDC to Multiple Precision Calculation)

When the modulus N or the base R is multiple precision (multi-word), the REDC algorithm is extended. In that case the calculations (T mod R)·N′ and M·N of REDC become multiple-precision × multiple-precision operations, which require a large quantity of processing and processing time on a general computer. To avoid this, (Algorithm 2) below extends the processing so that it is carried out by multiple-precision × single-precision operations.

(Algorithm 2)

The following algorithm extends REDC to multiple precision.

The dividend T, the parameter N′ and the output variable Y are all r-adic, and

T = (t_(2g−1), t_(2g−2), ..., t₀)_r,

N′ = (n′_(g−1), n′_(g−2), ..., n′₀)_r,

Y = (y_g, y_(g−1), ..., y₀)_r,

R = r^g,

r = 2^k

Under these conditions, TR⁻¹ mod N is obtained as multiple-precision × single-precision calculations by the following loop over j = 0 to g−1. Here single precision means one r-adic digit; when the same letter is used, an upper-case letter denotes a multiple-precision value, a lower-case letter a single-precision value, and a lower-case subscript the digit index of a multiple-precision value. FIG. 1 shows the remainder calculating process of (Algorithm 2).

Y = T

for j = 0 to g−1

m = y₀·n′₀ mod r

Y = Y + m·N

Y = Y/r

next

if Y ≧ N then Y = Y − N

return Y

Then REDC is carried out again on the product of the TR⁻¹ mod N thus obtained and the previously computed R² mod N, and thereby the remainder T mod N is obtained.

(Extension of REDC to Multiple Precision Modular-multiplication)

Next, the REDC algorithm is extended to modular multiplication. In Algorithm 2 the input T is a value satisfying 0 ≦ T < R·N, but in practice T is often the product of integers A and B (0 ≦ A, B < N). The multiplication of A and B is itself a multiple-precision integer calculation carried out as a repetitive loop, like the multiple-precision REDC. When the multiplication and the REDC are computed in separate loops, the overhead of loop control is paid twice. To avoid this, (Algorithm 3) below carries out the multiplication and the REDC in the same loop.

(Algorithm 3)

The following algorithm REDC(A×B) extends REDC to multiple-precision modular multiplication. The two multiplicands A and B, the parameter N′ and the output variable Y are all r-adic, and

A = (a_(g−1), a_(g−2), ..., a₀)_r,

B = (b_(g−1), b_(g−2), ..., b₀)_r,

N′ = (n′_(g−1), n′_(g−2), ..., n′₀)_r,

Y = (y_g, y_(g−1), ..., y₀)_r,

R = r^g,

r = 2^k

Under these conditions, ABR⁻¹ mod N is obtained as multiple-precision × single-precision calculations by the following loop over j = 0 to g−1. FIG. 2 shows the modular-multiplication process of (Algorithm 3).

Y = 0

for j = 0 to g−1

Y = Y + A·b_j

m = y₀·n′₀ mod r

Y = Y + m·N

Y = Y/r

next

if Y ≧ N then Y = Y − N

return Y

Then REDC is carried out again on the product of the ABR⁻¹ mod N thus obtained and the previously computed R² mod N, and thereby the remainder A·B mod N is obtained.
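As an added example (not code from the patent), Algorithms 2 and 3 written out with r = 2^k digits. Y is kept as a Python integer so that the digit steps stay visible; the only digit of N′ the loops ever use is n′₀ = −N⁻¹ mod r, which is computed here by a single-digit inverse instead of the full N′. The modulus and operands used to exercise the routines are constructed.

```python
# Added example: multiple-precision REDC (Algorithm 2) and the interleaved
# Montgomery multiplication (Algorithm 3), r = 2^k, R = r^g.

def n0_prime(N, r):
    """n'_0 = -N^-1 mod r, the least digit of N' (N odd, r = 2^k)."""
    return (-pow(N, -1, r)) % r

def digits(x, r, n):
    """Little-endian r-adic digits of x, padded to n digits: x = sum d_i * r^i."""
    out = []
    for _ in range(n):
        out.append(x % r)
        x //= r
    if x != 0:
        raise ValueError("value does not fit in %d digits" % n)
    return out

def redc_digits(T, N, r, g):
    """Algorithm 2: T*R^-1 mod N, R = r^g, for 0 <= T < R*N and gcd(N, r) = 1."""
    R = r ** g
    if not (0 <= T < R * N):
        raise ValueError("T must satisfy 0 <= T < R*N")
    n0p = n0_prime(N, r)
    Y = T
    for _ in range(g):
        y0 = Y % r                 # least digit (a k-bit mask in hardware)
        m = (y0 * n0p) % r         # single digit x single digit
        Y = Y + m * N              # multiple precision x single digit; y0 becomes 0
        Y = Y // r                 # exact division: a k-bit shift
    return Y - N if Y >= N else Y

def mont_mul_digits(A, B, N, r, g):
    """Algorithm 3: A*B*R^-1 mod N for 0 <= A, B < N < R, multiplication and
    reduction interleaved in one loop over the digits of B."""
    R = r ** g
    if not (0 <= A < N and 0 <= B < N and N < R):
        raise ValueError("need 0 <= A, B < N < R")
    n0p = n0_prime(N, r)
    Y = 0
    for bj in digits(B, r, g):
        Y = Y + A * bj             # partial product A * b_j
        m = ((Y % r) * n0p) % r
        Y = (Y + m * N) // r
    return Y - N if Y >= N else Y

# Constructed parameters: N = 2^127 - 1, 32-bit digits, g = 4 so R = 2^128 > N.
N_EX, R_DIGIT, G_EX = (1 << 127) - 1, 1 << 32, 4
A_EX, B_EX = pow(3, 70) % N_EX, pow(5, 50) % N_EX
```

With a Mersenne modulus such as the one above, n′₀ comes out as 1, which is exactly the observation the detailed description below exploits for N = c·2^d − 1.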

As described above, in the elliptic curve cryptosystem security is not lost even if a special prime (a special parameter) is used as the modulus, and there are therefore methods that use such a special parameter as the divisor to carry out the remainder calculation at high speed. Such methods have been proposed in U.S. Pat. Nos. 5,271,061, 5,159,632 and 5,442,707, among others. However, the methods proposed in these patents do not use the special parameter as the divisor of a remainder calculation based on the Montgomery method.

One Montgomery method using a special parameter was proposed at the 1988 general meeting of the electronic information and communication society (A-7-11: elliptic curve cryptosystem applying Montgomery arithmetic). This method is as follows. When the Montgomery remainder of a value C is to be computed with a divisor of the form N = ε·2^(L−k) − 1 (L: number of bits of N, k: number of bits of the processing unit, ε: k bits), the Montgomery remainder of C becomes equal to the Montgomery remainder of (C/2^(L−k)) + ε·(C mod 2^(L−k)). Thus, whereas the Montgomery remainder of C is otherwise obtained with one multiple-precision × multiple-precision multiplication, with the special parameter it is obtained with two multiple-precision × single-precision multiplications.

However, this method merely reduces the size of the number on which the Montgomery division is carried out, and thereby reduces the computational complexity; it does not reduce the computational complexity of the Montgomery division itself by using the special parameter. Moreover, the special parameter used is severely restricted to the form ε·2^(L−k) − 1.

BRIEF SUMMARY OF THE INVENTION

It is therefore a principal object of the present invention to provide a remainder calculating method and apparatus and a modular-multiplication method and apparatus which use a special parameter with a weaker restriction, such as c·2^d − 1 or c·2^d + 1, as the divisor, so as to simplify remainder calculation and modular multiplication based on the Montgomery method and to reduce the computational complexity compared with the conventional case.

A further object of the present invention is to provide a recording medium which records a computer-readable program for causing a computer to execute the aforesaid remainder calculating method and modular-multiplication method.

According to the present invention, in the remainder calculating method and the modular-multiplication method based on the Montgomery method, a number of the form N = c·2^d ± 1 is used as the divisor N. For example, to calculate the remainder when a dividend Y is divided by a divisor N, a number of the form N = c·2^d − 1 is used as the divisor N, and the following steps are repeated: a step of adding the product of the least digit y₀ of the dividend Y and c to the dividend Y at the position d bits above its least significant bit, and a step of using the part of the sum that excludes the least digit as the next dividend.

Thus the calculations of the Montgomery remainder method and the Montgomery modular-multiplication method are simplified and the computational complexity is reduced.

The above and further objects and features of the invention will be more fully apparent from the following detailed description with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a view showing a remainder calculating process in the prior art;

FIG. 2 is a view showing a modular-multiplication process in the prior art;

FIG. 3 is a view showing a remainder calculating process in a first remainder calculation (Algorithm 4);

FIG. 4 is a view showing a remainder calculating process in the first remainder calculation (Algorithm 4) with the y₀ = 0 step omitted;

FIG. 5 is a view showing a remainder calculating process in a second remainder calculation (Algorithm 4);

FIG. 6 is a view showing a remainder calculating process in a third remainder calculation (Algorithm 5);

FIG. 7 is a view showing a remainder calculating process in a fourth remainder calculation (Algorithm 5);

FIG. 8 is a view showing a modular-multiplication process in a first modular-multiplication (Algorithm 6);

FIG. 9 is a view showing a modular-multiplication process in the first modular-multiplication (Algorithm 6) with the y₀ = 0 step omitted;

FIG. 10 is a view showing a modular-multiplication process in a second modular-multiplication (Algorithm 6);

FIG. 11 is a view showing a modular-multiplication process in a third modular-multiplication (Algorithm 7);

FIG. 12 is a view showing a modular-multiplication process in a fourth modular-multiplication (Algorithm 7);

FIG. 13 is a view showing a construction of a remainder calculating apparatus according to the present invention;

FIG. 14 is a view showing a remainder calculating process by the remainder calculating apparatus according to the present invention;

FIG. 15 is a flowchart showing an operation procedure in the remainder calculating apparatus according to the present invention;

FIG. 16 is a view showing a construction of a modular-multiplication apparatus according to the present invention;

FIG. 17 is a view showing a modular-multiplication process by the modular-multiplication apparatus according to the present invention;

FIG. 18 is a flowchart showing an operation procedure in the modular-multiplication apparatus according to the present invention;

FIG. 19 is a block diagram showing a construction of a recording medium (first remainder calculation: Algorithm 4) according to the present invention;

FIG. 20 is a block diagram showing a construction of a recording medium (third remainder calculation: Algorithm 5) according to the present invention;

FIG. 21 is a block diagram showing a construction of a recording medium (first modular-multiplication: Algorithm 6) according to the present invention; and

FIG. 22 is a block diagram showing a construction of a recording medium (third modular-multiplication: Algorithm 7) according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The concepts of the remainder calculating method and the modular-multiplication method according to the present invention are described below.

[First Remainder Calculation]

Assume that the divisor N of (Algorithm 2) is set to N = c·2^d − 1 (d ≧ k, k: number of bits of the processing unit, c = (c_(q−1), c_(q−2), ..., c₀)_r). Then the following effects are obtained. More specifically,

① m = y₀, because N ≡ −1 (mod r) gives n′₀ = 1; therefore the calculation of m and the calculation of n′₀ are unnecessary; and

② the calculation Y = Y + m·N can be replaced by Y = Y + y₀·c·2^d followed by y₀ = 0, because m·N = y₀·c·2^d − y₀ and subtracting y₀ simply clears the least digit.

In the conventional method, each iteration requires a g-digit × one-digit multiplication; in this method each iteration requires a q-digit × one-digit multiplication (g > q) and a d-bit shift. The method is shown as the following (Algorithm 4).

(Algorithm 4)

The dividend T, the parameter N′ and the output variable Y are all r-adic, and

T = (t_(2g−1), t_(2g−2), ..., t₀)_r,

N′ = (n′_(g−1), n′_(g−2), ..., n′₀)_r,

Y = (y_g, y_(g−1), ..., y₀)_r,

R = r^g,

r = 2^k,

N = c·2^d − 1,

c = (c_(q−1), c_(q−2), ..., c₀)_r,

d ≧ k.

Under these conditions, TR⁻¹ mod N is obtained by the following loop over j = 0 to g−1. FIG. 3 and FIG. 4 show the remainder calculating process of Algorithm 4; FIG. 4 shows the case where the y₀ = 0 step of FIG. 3 is omitted.

Y = T

for j = 0 to g−1

Y = Y + y₀·c·2^d

y₀ = 0

Y = Y/r

next

if Y ≧ N then Y = Y − N

return Y

In practice, the step y₀ = 0 may be carried out as y₀ = y₀ − y₀, or it may be omitted by computing Y = Y/r as an integer quotient, since the shift discards the least digit.

[Second Remainder Calculation]

If d in (Algorithm 4) is set to d = e·k, the calculation Y = Y + y₀·c·2^d becomes the addition of y₀·c, as r-adic digits, starting at the (e+1)-th digit from the bottom (counting the least digit as the first), so the d-bit shift becomes unnecessary. FIG. 5 shows the remainder calculating process in this case.

[Third Remainder Calculation]

Assume that the divisor N of (Algorithm 2) is set to N = c·2^d + 1 (d ≧ k, k: number of bits of the processing unit, c = (c_(q−1), c_(q−2), ..., c₀)_r). Then the following effects are obtained. More specifically,

① m = (r − y₀) mod r, because N ≡ 1 (mod r) gives n′₀ = r − 1; therefore m is obtained by a subtraction and the calculation of n′₀ is unnecessary; and

② the calculation Y = Y + m·N can be replaced by Y = Y + m·c·2^d + m, because m·N = m·c·2^d + m; adding m to the least digit y₀ makes that digit a multiple of r.

Compared with the first remainder calculation, the computational complexity increases by the calculation of m, the addition of m and the resulting carry propagation. However, the computational complexity of this method is still less than that of (Algorithm 2). The method is shown as the following (Algorithm 5).

(Algorithm 5)

The dividend T, the parameter N′ and the output variable Y are all r-adic, and

T = (t_(2g−1), t_(2g−2), ..., t₀)_r,

N′ = (n′_(g−1), n′_(g−2), ..., n′₀)_r,

Y = (y_g, y_(g−1), ..., y₀)_r,

R = r^g,

r = 2^k,

N = c·2^d + 1,

c = (c_(q−1), c_(q−2), ..., c₀)_r,

d ≧ k

Under these conditions, TR⁻¹ mod N is obtained by the following loop over j = 0 to g−1. FIG. 6 shows the remainder calculating process of Algorithm 5.

Y = T

for j = 0 to g−1

m = (r − y₀) mod r

Y = Y + m·c·2^d + m

Y = Y/r

next

if Y ≧ N then Y = Y − N

return Y

[Fourth Remainder Calculation]

If d in (Algorithm 5) is set to d = e·k, the addition of m·c·2^d becomes the addition of m·c, as r-adic digits, starting at the (e+1)-th digit from the bottom (counting the least digit as the first), so the d-bit shift becomes unnecessary. FIG. 7 shows the remainder calculating process in this case.

[First Modular-multiplication]

As in the first remainder calculation, if the divisor N of (Algorithm 3) is set to N = c·2^d − 1 (d ≧ k, k: number of bits of the processing unit), the same effects as in the first remainder calculation are obtained. This method is shown as the following (Algorithm 6).

(Algorithm 6)

The two multiplicands A and B, the parameter N′ and the output variable Y are all r-adic, and

A = (a_(g−1), a_(g−2), ..., a₀)_r,

B = (b_(g−1), b_(g−2), ..., b₀)_r,

N′ = (n′_(g−1), n′_(g−2), ..., n′₀)_r,

Y = (y_g, y_(g−1), ..., y₀)_r,

R = r^g,

r = 2^k,

N = c·2^d − 1,

c = (c_(q−1), c_(q−2), ..., c₀)_r,

d ≧ k

Under these conditions, ABR⁻¹ mod N is obtained by the following loop over j = 0 to g−1. FIG. 8 and FIG. 9 show the modular-multiplication process of Algorithm 6; FIG. 9 shows the case where the y₀ = 0 step of FIG. 8 is omitted.

Y = 0

for j = 0 to g−1

Y = Y + A·b_j

Y = Y + y₀·c·2^d

y₀ = 0

Y = Y/r

next

if Y ≧ N then Y = Y − N

return Y

In practice, the step y₀ = 0 may be carried out as y₀ = y₀ − y₀, or it may be omitted by computing Y = Y/r as an integer quotient, since the shift discards the least digit.

[Second Modular-multiplication]

As in the second remainder calculation, if d in (Algorithm 6) is set to d = e·k, the calculation Y = Y + y₀·c·2^d becomes the addition of y₀·c, as r-adic digits, starting at the (e+1)-th digit from the bottom (counting the least digit as the first), so the d-bit shift becomes unnecessary. FIG. 10 shows the modular-multiplication process in this case.

[Third Modular-multiplication]

As in the third remainder calculation, if the divisor N of (Algorithm 3) is set to N = c·2^d + 1 (d ≧ k, k: number of bits of the processing unit), the same effects as in the third remainder calculation are obtained. This method is shown as the following (Algorithm 7).

(Algorithm 7)

The two multiplicands A and B, the parameter N′ and the output variable Y are all r-adic, and

A = (a_(g−1), a_(g−2), ..., a₀)_r,

B = (b_(g−1), b_(g−2), ..., b₀)_r,

N′ = (n′_(g−1), n′_(g−2), ..., n′₀)_r,

Y = (y_g, y_(g−1), ..., y₀)_r,

R = r^g,

r = 2^k,

N = c·2^d + 1,

c = (c_(q−1), c_(q−2), ..., c₀)_r,

d ≧ k

Under these conditions, ABR⁻¹ mod N is obtained by the following loop over j = 0 to g−1. FIG. 11 shows the modular-multiplication process of Algorithm 7.

Y = 0

for j = 0 to g−1

Y = Y + A·b_j

m = (r − y₀) mod r

Y = Y + m·c·2^d + m

Y = Y/r

next

if Y ≧ N then Y = Y − N

return Y

[Fourth Modular-multiplication]

As in the fourth remainder calculation, if d in (Algorithm 7) is set to d = e·k, the addition of m·c·2^d becomes the addition of m·c, as r-adic digits, starting at the (e+1)-th digit from the bottom (counting the least digit as the first), so the d-bit shift becomes unnecessary. FIG. 12 shows the modular-multiplication process in this case.
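As an added example (not code from the patent), Algorithms 4 to 7 for N = c·2^d − 1 and N = c·2^d + 1, each checked against plain big-integer arithmetic; n0_prime shows why m collapses to y₀ or to (r − y₀) mod r. The parameters k = 32, d = 4·k = 128, 32-bit c, g = 5 and R = 2¹⁶⁰ follow Embodiment 2 below; the value of c and the operands are constructed for this example, and the y₀ = 0 step is realised as the integer shift the text permits.

```python
# Added example: Montgomery reduction and multiplication for the special
# moduli N = c*2^d - 1 (Algorithms 4, 6) and N = c*2^d + 1 (Algorithms 5, 7).
# Requires d >= k so that the product placed at bit d never touches digit y0.

def n0_prime(N, r):
    """n'_0 = -N^-1 mod r: 1 when N = c*2^d - 1, r - 1 when N = c*2^d + 1."""
    return (-pow(N, -1, r)) % r

def _finish(Y, N):
    """Montgomery normalization: Y < 2N on entry, so one subtraction suffices."""
    return Y - N if Y >= N else Y

def redc_minus(T, c, d, k, g):
    """Algorithm 4: m = y0, and Y + m*N = Y + y0*c*2^d - y0."""
    r, N = 1 << k, (c << d) - 1
    Y = T
    for _ in range(g):
        y0 = Y & (r - 1)
        # The q-digit x 1-digit product y0*c lands d bits up; when d = e*k that is
        # simply digit position e. The floor shift drops y0 (the "y0 = 0" step).
        Y = (Y + ((y0 * c) << d)) >> k
    return _finish(Y, N)

def redc_plus(T, c, d, k, g):
    """Algorithm 5: m = (r - y0) mod r (two's complement of y0),
    Y + m*N = Y + m*c*2^d + m; the least digit becomes 0 mod r."""
    r, N = 1 << k, (c << d) + 1
    Y = T
    for _ in range(g):
        m = (r - (Y & (r - 1))) & (r - 1)
        Y = Y + ((m * c) << d) + m
        if Y & (r - 1):
            raise AssertionError("least digit must vanish before the shift")
        Y >>= k
    return _finish(Y, N)

def mont_mul_minus(A, B, c, d, k, g):
    """Algorithm 6: A*B*R^-1 mod N for N = c*2^d - 1, R = 2^(k*g), 0 <= A, B < N."""
    r, N = 1 << k, (c << d) - 1
    Y = 0
    for j in range(g):
        Y += A * ((B >> (j * k)) & (r - 1))    # partial product A * b_j
        y0 = Y & (r - 1)
        Y = (Y + ((y0 * c) << d)) >> k
    return _finish(Y, N)

def mont_mul_plus(A, B, c, d, k, g):
    """Algorithm 7: A*B*R^-1 mod N for N = c*2^d + 1."""
    r, N = 1 << k, (c << d) + 1
    Y = 0
    for j in range(g):
        Y += A * ((B >> (j * k)) & (r - 1))
        m = (r - (Y & (r - 1))) & (r - 1)
        Y = (Y + ((m * c) << d) + m) >> k
    return _finish(Y, N)

# Constructed parameters in the shape of Embodiment 2: k = 32, d = 128, g = 5,
# R = 2^160, c a 32-bit value so that N has 160 bits. Operands are below N.
K_EX, D_EX, G_EX = 32, 128, 5
C_EX = 0x9D58A3B7
A_EX = (7 << 150) + 12345
B_EX = (11 << 140) + 6789

def check_against_bigint(c=C_EX, d=D_EX, k=K_EX, g=G_EX, A=A_EX, B=B_EX):
    """True when every special-form routine matches pow()-based arithmetic."""
    R = 1 << (k * g)
    results = []
    for sign, redc, mul in ((-1, redc_minus, mont_mul_minus),
                            (+1, redc_plus, mont_mul_plus)):
        N = (c << d) + sign
        expected = A * B * pow(R, -1, N) % N    # A*B*R^-1 mod N the slow way
        results.append(redc(A * B, c, d, k, g) == expected)
        results.append(mul(A, B, c, d, k, g) == expected)
    return all(results)
```

The loops contain no general multiplication by N and no n′₀ lookup: the whole per-digit cost is one 32-bit × 32-bit product, one add at digit position e, and a word shift, which is what the register-transfer description of Embodiments 1 and 2 implements.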

Embodiments of the present invention are described in detail below.

[Embodiment 1: Remainder Calculation]

FIG. 13 is a view showing the construction of a remainder calculating apparatus according to the present invention. The remainder calculating apparatus shown in FIG. 13 comprises: a Y-register 1 which stores the value of the variable Y = (y_g, y_(g−1), ..., y₀)_r used as the dividend; a c-register 2 which stores the value of c = (c_(q−1), c_(q−2), ..., c₀)_r; a multiplier 3 which obtains the product of the least digit y₀ of the variable Y and c; an adder 4 which adds the output (product) of the multiplier 3 and the output (higher digits) of the Y-register 1; and a normalizer 5 which performs the normalization for the Montgomery method.

FIG. 14 is a view showing the remainder calculating process of the remainder calculating apparatus, and FIG. 15 is a flowchart showing the operation procedure of the remainder calculating apparatus. The following is an example corresponding to the aforesaid second remainder calculation using Algorithm 4 (the divisor N is set to N = c·2^d − 1 with d = e·k), with g = 5 and e = 4.

The initial value of the variable Y (the dividend of the remainder calculation) is input (step S1). Then the following processes are repeated five times: a process (step S2) of obtaining y₀·c by means of the multiplier 3, adding the product to (y₅, y₄) by means of the adder 4, and storing the sum in (y₆, y₅, y₄) of the Y-register 1; and a process (step S3) of transferring (y₆, y₅, y₄, y₃, y₂, y₁) to (y₅, y₄, y₃, y₂, y₁, y₀) in the Y-register 1. Finally, the Montgomery normalization is carried out (step S4). By the above processing TR⁻¹ mod N is calculated. Then REDC is carried out again on the product of the TR⁻¹ mod N thus obtained and the previously computed R² mod N, and thereby the remainder T mod N is obtained.

[Embodiment 2: Modular-multiplication]

FIG. 16 is a view showing the construction of a modular-multiplication apparatus according to the present invention. The modular-multiplication apparatus shown in FIG. 16 comprises: a Y-register 11 which stores the value of the variable Y = (y_g, y_(g−1), ..., y₀)_r used as the dividend; an A-register 12 which stores the value of one multiplicand A = (a_(g−1), a_(g−2), ..., a₀)_r; a B-register 13 which stores the value of the other multiplicand B = (b_(g−1), b_(g−2), ..., b₀)_r; a c-register 14 which stores the value of c = (c_(q−1), c_(q−2), ..., c₀)_r; a selector circuit 15 which selects and outputs an input from either the Y-register 11 or the A-register 12; a selector circuit 16 which selects and outputs an input from either the B-register 13 or the c-register 14; a multiplier 17 which multiplies the output of the selector circuit 15 by the output of the selector circuit 16; an adder 18 which adds the output (product) of the multiplier 17 and the output (higher digits) of the Y-register 11; and a normalizer 19 which performs the normalization for the Montgomery method.

FIG. 17 is a view showing the modular-multiplication process of the modular-multiplication apparatus, and FIG. 18 is a flowchart showing the operation procedure of the modular-multiplication apparatus. The following is an example corresponding to the aforesaid second modular-multiplication using Algorithm 6 (the divisor N is set to N = c·2^d − 1 with d = e·k), with g = 5 and e = 4. Moreover, the other parameters are set as follows: A: 160 bits, B: 160 bits, N: 160 bits, c: 32 bits, N = c·2¹²⁸ − 1, k = 32, d = 128, r = 2³², and R = 2¹⁶⁰.

For initialization, the variable Y (Y: 192 bits) is cleared to zero (step S11). Then the following processes are repeated five times, for j = 0 to 4: a process (step S12) of obtaining the partial product A·b_j by means of the multiplier 17 and adding it to the variable Y; a process (step S13) of obtaining y₀·c by means of the multiplier 17, adding the product to (y₅, y₄) by means of the adder 18, and storing the sum in (y₆, y₅, y₄) of the Y-register 11; and a process (step S14) of transferring (y₆, y₅, y₄, y₃, y₂, y₁) to (y₅, y₄, y₃, y₂, y₁, y₀) in the Y-register 11. Finally, the Montgomery normalization is carried out (step S15). By the above processing REDC(A, B, N, R) = ABR⁻¹ mod N is calculated. Then REDC is carried out again on the product of the ABR⁻¹ mod N thus obtained and the previously computed R² mod N, and thereby the remainder A·B mod N is obtained.

(Embodiment 3: Recording Medium)

FIG. 19 is a block diagram showing a construction of a recording medium (first remainder calculation: Algorithm 4) according to the present invention. In FIG. 19, a recording medium 21 is connected online to a computer 20 and comprises, for example, a WWW (World Wide Web) server computer located far from the position of the computer 20. Further, the recording medium 21 records a program 21a which will be described later. The program 21a read from the recording medium 21 controls the computer 20 so that the computer 20 carries out a predetermined calculation.

A recording medium 22 incorporated in the computer 20 comprises a built-in hard disk drive or a ROM (Read Only Memory). Further, the recording medium 22 records a program 22a which will be described later. The program 22a read from the recording medium 22 controls the computer 20 so that the computer 20 carries out a predetermined calculation.

A recording medium 23 is used in a state of being loaded in a disk drive 20a of the computer 20. The recording medium 23 comprises, for example, a portable magneto-optical disc, CD-ROM or flexible disk. Further, the recording medium 23 records a program 23a which will be described later. The program 23a read from the recording medium 23 controls the computer 20 so that the computer 20 carries out a predetermined calculation.

The programs 21a, 22a and 23a recorded in the recording media 21, 22 and 23 shown in FIG. 19 each include the following steps: a step of adding the product of the least digit value y₀ of the dividend Y and c to the lower d-bit position of the dividend Y (that is, adding y₀c shifted up by d bits); and a step of using the portion excluding the least digit of the additive result as the next dividend.

FIG. 20 is a block diagram showing a construction of a recording medium (third remainder calculation: Algorithm 5) according to the present invention. The programs 21a, 22a and 23a recorded in the recording media 21, 22 and 23 shown in FIG. 20 each include the following steps: a step of adding a multiplier m to the least digit of the dividend Y and adding the product of the multiplier m and c to the lower d-bit position of the dividend Y, the multiplier m being the two's complement of the least digit value y₀ of the dividend Y (m=−y₀ mod r, so that the least digit becomes zero); and a step of using the portion excluding the least digit of the additive result as the next dividend.

FIG. 21 is a block diagram showing a construction of a recording medium (first modular-multiplication: Algorithm 6) according to the present invention. The programs 21a, 22a and 23a recorded in the recording media 21, 22 and 23 shown in FIG. 21 each include the following steps: a step of adding the partial product A×b_(i) of the two numbers A and B to the previous partial modular-multiplication result and using the additive result as the new dividend Y; a step of adding the product of the least digit value y₀ of the dividend Y and c to the lower d-bit position of the dividend Y; and a step of using the portion excluding the least digit of the additive result as the next dividend.

FIG. 22 is a block diagram showing a construction of a recording medium (third modular-multiplication: Algorithm 7) according to the present invention. The programs 21a, 22a and 23a recorded in the recording media 21, 22 and 23 shown in FIG. 22 each include the following steps: a step of adding the partial product A×b_(i) of the two numbers A and B to the previous partial modular-multiplication result and using the additive result as the new dividend Y; a step of adding a multiplier m to the least digit of the dividend Y and adding the product of the multiplier m and c to the lower d-bit position of the dividend Y, the multiplier m being the two's complement of the least digit value y₀ of the dividend Y; and a step of using the portion excluding the least digit of the additive result as the next dividend.
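The step sequences listed for FIGS. 19 to 22 are the per-digit reduction step of Algorithms 4 to 7, and the register-level trace of FIGS. 17 and 18 above is that same step for N=c2¹²⁸−1 with 32-bit digits. The Python below is an added example written for this page, not the programs 21a, 22a or 23a of the patent nor any code of the applicant: it implements both divisor forms, N=c2^(d)−1 and N=c2^(d)+1, digit-serially at the page's sizes (k=32, d=ek=128, g=5, R=2¹⁶⁰) and checks the results against independently computed ABR⁻¹ mod N and A·B mod N. The value of c and the sample inputs are constructed for the example, and the names special_modulus, reduce_digit_minus, reduce_digit_plus, mont_mul, mod_mul and self_check are the example's own.

```python
# Added example, not the patent's code: digit-serial Montgomery reduction for
# the special-form divisors N = c*2^d - 1 (Algorithms 4/6) and N = c*2^d + 1
# (Algorithms 5/7). Parameters follow the page: k = 32, d = e*k = 128,
# g = 5 digits, R = 2^160. Requires Python 3.8+ (pow(x, -1, n)).

K = 32                 # bits per digit, k
R_DIG = 1 << K         # digit radix r
MASK = R_DIG - 1

# Constructed sample parameters at the page's sizes: c is 32 bits with its top
# bit set, so N = c*2^128 +/- 1 is 160 bits; A and B are reduced 160-bit inputs.
C, D, G = 0x9E3779B9, 128, 5
SAMPLE_A = 0x123456789ABCDEF0123456789ABCDEF012345678
SAMPLE_B = 0x0FEDCBA987654321FEDCBA987654321FEDCBA987


def special_modulus(c, d, sign):
    """N = c*2^d + sign, sign in {-1, +1}, c one k-bit digit, d a multiple of k."""
    assert sign in (-1, 1) and 0 < c < R_DIG and d % K == 0
    return c * (1 << d) + sign


def reduce_digit_minus(y, c, e):
    """One reduction step for N = c*2^(e*k) - 1 (Algorithms 4 and 6).

    N == -1 (mod r), so the Montgomery multiplier m = y0 * (-N^-1 mod r) is y0
    itself, and y + y0*N = y - y0 + y0*c*2^d: the least digit is cancelled and
    y0*c is added at bit position d, i.e. to digits e and e+1 with a carry into
    digit e+2 (the (y6, y5, y4) <- y0*c + (y5, y4) update of FIG. 17 for e = 4).
    Dropping the least digit then divides by r exactly.
    """
    y0 = y & MASK
    return (y + (y0 * c << (K * e))) >> K


def reduce_digit_plus(y, c, e):
    """One reduction step for N = c*2^(e*k) + 1 (Algorithms 5 and 7).

    N == +1 (mod r), so m = -y0 mod r, the two's complement of y0 in k bits.
    y + m*N = y + m + m*c*2^d: m is added to the least digit (which becomes 0,
    with a carry into digit 1 whenever y0 != 0) and m*c at bit position d.
    """
    y0 = y & MASK
    m = (-y0) & MASK
    t = y + m + (m * c << (K * e))
    assert t & MASK == 0           # least digit is zero by construction
    return t >> K


def mont_mul(a, b, c, d, sign, g):
    """REDC(A, B, N, R) = A*B*R^-1 mod N for 0 <= a, b < N and R = 2^(g*k) > N."""
    n = special_modulus(c, d, sign)
    assert 0 <= a < n and 0 <= b < n and (1 << (K * g)) > n
    e = d // K
    step = reduce_digit_minus if sign == -1 else reduce_digit_plus
    y = 0                                      # step S11
    for i in range(g):
        y += a * ((b >> (K * i)) & MASK)       # step S12: Y += A * b_i
        y = step(y, c, e)                      # steps S13 and S14
    # With a, b < N the loop keeps y < 2N, so one subtraction normalizes (S15).
    if y >= n:
        y -= n
    return y


def mod_mul(a, b, c, d, sign, g):
    """A*B mod N: REDC of A and B, then REDC of that result with R^2 mod N."""
    n = special_modulus(c, d, sign)
    r2 = pow(1 << (K * g), 2, n)
    return mont_mul(mont_mul(a, b, c, d, sign, g), r2, c, d, sign, g)


def self_check():
    """Compare both divisor forms against plain integer arithmetic."""
    for sign in (-1, 1):
        n = special_modulus(C, D, sign)
        r_inv = pow(1 << (K * G), -1, n)
        if mont_mul(SAMPLE_A, SAMPLE_B, C, D, sign, G) != SAMPLE_A * SAMPLE_B * r_inv % n:
            return False
        if mod_mul(SAMPLE_A, SAMPLE_B, C, D, sign, G) != SAMPLE_A * SAMPLE_B % n:
            return False
    return True


if __name__ == "__main__":
    print("self check:", "ok" if self_check() else "FAILED")
```

Two points a practitioner would check before reusing this. The conditional subtraction in step S15 is data-dependent and is the classic timing leak of Montgomery arithmetic, so a deployed implementation should perform it in constant time rather than with a branch as above. And a divisor of the form c2^(d)±1 with a small c is the natural choice for a fixed, public prime-field modulus (as in elliptic-curve arithmetic); whether an RSA modulus may be restricted to this form is a separate key-generation question, since a modulus with public special structure is exactly what special-purpose factoring methods such as the special number field sieve target.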

Now, the following is a comparison between the present invention and the prior art. In the prior art, the specific parameter (N=ε2^(L−K)−1) described above is used as the divisor N, and the multiplication of multiple precision×single precision is carried out two times in each iteration. In the present invention, on the contrary, the multiplication of multiple precision×single precision is carried out only once in each iteration; the computational complexity is therefore clearly reduced. Further, with the other parameters set to N: 160 bits, c: 32 bits, d=128 and N=c2¹²⁸−1, the remainder calculating apparatus of the present invention was realized as software. When this software is executed on a 32-bit processor, the remainder processing time (computational complexity) of the present invention is about ⅕ of that of the prior art using an arbitrary divisor parameter.

As is evident from the above description, according to the remainder calculating method and the modular-multiplication method of the present invention, a number expressed by N=c2^(d)±1 is used as the divisor N; therefore, the calculation in the Montgomery remainder method and the Montgomery modular-multiplication method is simplified, and the computational complexity is reduced.

As this invention may be embodied in several forms without departing from the spirit or essential characteristics thereof, the present embodiment is therefore illustrative and not restrictive. Since the scope of the invention is defined by the appended claims rather than by the description preceding them, all changes that fall within the metes and bounds of the claims, or equivalents of such metes and bounds, are therefore intended to be embraced by the claims.

What is claimed is:
 1. A remainder calculating method which calculates a remainder in the case of dividing a dividend Y by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)−1 is used as the divisor N, and the method includes the following repeatedly carried out steps of: a first step of adding a product of a least digit value y₀ of the dividend Y and c to a lower d-bit position of the dividend Y; and a second step of using a portion excluding the least digit of the additive result as a next dividend.
 2. The remainder calculating method according to claim 1, wherein the first step includes a process for shifting a product of the least digit value y₀ of the dividend Y and c to a higher side by d bits so that the product is added to the dividend Y.
 3. A remainder calculating method which calculates a remainder in the case of dividing a dividend Y by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)−1 is used as the divisor N, and d is set to e time of k (d=ek), the number of bits of k being one digit, and the method includes the following repeatedly carried out steps of: a first step of adding a product of a least digit value y₀ of the dividend Y and c to a lower (e+1)-digit position of the dividend Y; and a second step of using a portion excluding the least digit of the additive result as a next dividend.
 4. A remainder calculating method which calculates a remainder in the case of dividing a dividend Y by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)+1 is used as the divisor N, and the method includes the following repeatedly carried out steps of: a first step of adding a multiplier m to the least digit of the dividend Y and adding a product of the multiplier m and c to a lower d-bit position of the dividend Y, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and a second step of using a portion excluding the least digit of the additive result as a next dividend.
 5. The remainder calculating method according to claim 4, wherein the product of the multiplier m and c is shifted to a higher side by d bits so as to be added to the dividend Y in adding the product of the multiplier m and c to a lower d-bit position of the dividend Y.
 6. A remainder calculating method which calculates a remainder in the case of dividing a dividend Y by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)+1 is used as the divisor N, and d is set to e time of k (d=ek), the number of bits of k being one digit, and the method includes the following repeatedly carried out steps of: a first step of adding a multiplier m to the least digit of the dividend Y and adding a product of the multiplier m and c to a lower (e+1)-digit position of the dividend Y, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and a second step of using a portion excluding the least digit of the additive result as a next dividend.
 7. A modular-multiplication method which calculates a remainder in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)−1 is used as the divisor N, and the method includes the following repeatedly carried out steps of: a first step of adding a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to use the additive result as a new dividend Y; a second step of adding a product of a least digit value y₀ of the dividend Y and c to a lower d-bit position of the dividend Y; and a third step of using a portion excluding the least digit of the additive result as a next modular-multiplication result.
 8. The modular-multiplication method according to claim 7, wherein the second step includes a process for shifting a product of the least digit value y₀ of the dividend Y and c to a higher side by d bits so that the product is added to the dividend Y.
 9. A modular-multiplication method which calculates a remainder in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)−1 is used as the divisor N, and d is set to e time of k (d=ek), the number of bits of k being one digit, and the method includes the following repeatedly carried out steps of: a first step of adding a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to use the additive result as a new dividend Y; a second step of adding a product of a least digit value y₀ of the dividend Y and c to a lower (e+1)-digit position of the dividend Y; and a third step of using a portion excluding the least digit of the additive result as a next modular-multiplication result.
 10. A modular-multiplication method which calculates a remainder in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)+1 is used as the divisor N, and the method includes the following repeatedly carried out steps of: a first step of adding a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to use the additive result as a new dividend Y; a second step of adding a multiplier m to the least digit of the dividend Y and adding a product of the multiplier m and c to a lower d-bit position of the dividend Y, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and a third step of using a portion excluding the least digit of the additive result as a next modular-multiplication result.
 11. The modular-multiplication method according to claim 10, wherein the product of the multiplier m and c is shifted to a higher side by d bits so as to be added to the dividend Y in adding the product of the multiplier m and c to a lower d-bit position of the dividend Y.
 12. A modular-multiplication method which calculates a remainder in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N on the basis of a Montgomery method, wherein a number expressed by N=c2^(d)+1 is used as the divisor N, and d is set to e time of k (d=ek), the number of bits of k being one digit, and the method includes the following repeatedly carried out steps of: a first step of adding a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to use the additive result as a new dividend Y; a second step of adding a multiplier m to the least digit of the dividend Y and adding a product of the multiplier m and c to a lower (e+1)-digit position of the dividend Y, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and a third step of using a portion excluding the least digit of the additive result as a next modular-multiplication result.
 13. A remainder calculating apparatus which calculates a remainder in the case of dividing a dividend Y by a divisor N (N=c2^(d)−1) on the basis of a Montgomery method, comprising: a multiplier for obtaining a product of a least digit value y₀ of the dividend Y and c; an adder for adding the multiplicative result to a lower d-bit position of the dividend Y; and a register for storing a portion excluding the least digit of the additive result as a next dividend.
 14. A remainder calculating apparatus which calculates a remainder in the case of dividing a dividend Y by a divisor N (N=c2^(d)+1) on the basis of a Montgomery method, comprising: a multiplier for obtaining a product of a multiplier m and c, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; an adder for adding the multiplicative result to a lower d-bit position of the dividend Y and adding the multiplier m to the least digit of the dividend Y; and a register for storing a portion excluding the least digit of the additive result as a next dividend.
 15. A modular-multiplication apparatus which calculates a remainder in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N (N=c2^(d)−1) on the basis of a Montgomery method, comprising: a register for adding a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to store the additive result as a new dividend Y; a multiplier for obtaining a product of a least digit value y₀ of the dividend Y and c; and an adder for adding the multiplicative result to a lower d-bit position of the dividend Y, wherein a portion excluding the least digit of the additive result is set as a next modular-multiplication result.
 16. A modular-multiplication apparatus which calculates a remainder in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N (N=c2^(d)+1) on the basis of a Montgomery method, comprising: a register for adding a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to store the additive result as a new dividend Y; a multiplier for obtaining a product of a multiplier m and c, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and an adder for adding the multiplicative result to a lower d-bit position of the dividend Y and adding the multiplier m to the least digit of the dividend Y, wherein a portion excluding the least digit of the additive result is set as a next modular-multiplication result.
 17. A recording medium having a computer readable program for causing a computer to carry out a remainder calculation in the case of dividing a dividend Y by a divisor N (N=c2^(d)−1) on the basis of a Montgomery method, comprising: a program for causing the computer to add a product of a least digit value y₀ of the dividend Y and c to a lower d-bit position of the dividend Y; and a program for causing the computer to set a portion excluding the least digit of the additive result as a next dividend.
 18. A recording medium having a computer readable program for causing a computer to carry out a remainder calculation in the case of dividing a dividend Y by a divisor N (N=c2^(d)+1) on the basis of a Montgomery method, comprising: a program for causing the computer to add a multiplier m to the least digit of the dividend Y and to add a product of the multiplier m and c to a lower d-bit position of the dividend Y, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and a program for causing the computer to set a portion excluding the least digit of the additive result as a next dividend.
 19. A recording medium having a computer readable program for causing a computer to carry out a modular-multiplication in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N (N=c2^(d)−1) on the basis of a Montgomery method, comprising: a program for causing the computer to add a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to set the additive result as a new dividend Y; a program for causing the computer to add a product of a least digit value y₀ of the dividend Y and c to a lower d-bit position of the dividend Y; and a program for causing the computer to set a portion excluding the least digit of the additive result as a next modular-multiplication result.
 20. A recording medium having a computer readable program for causing a computer to carry out a modular-multiplication in the case of dividing a dividend Y, which is a product of two numbers A and B, by a divisor N (N=c2^(d)+1) on the basis of a Montgomery method, comprising: a program for causing the computer to add a partial multiplicative result of two numbers A and B and the previous partial modular-multiplication result so as to set the additive result as a new dividend Y; a program for causing the computer to add a multiplier m to the least digit of the dividend Y and to add a product of the multiplier m and c to a lower d-bit position of the dividend Y, the multiplier m being complement on two of the least digit value y₀ of the dividend Y; and a program for causing the computer to set a portion excluding the least digit of the additive result as a next modular-multiplication result.